CVE-2026-12850
GeoVision · GV-I/O Box 4E
An unauthenticated OS command injection vulnerability in the libNetSetObj.so library of GeoVision GV-I/O Box 4E allows remote code execution via a crafted network packet.
Executive summary
A critical OS command injection vulnerability in the GeoVision GV-I/O Box 4E allows unauthenticated attackers to execute arbitrary system commands by manipulating gateway configuration parameters.
Vulnerability
The CNetSetObj::m_F_n_Set_Gate_way function contains a command injection flaw due to insufficient input validation. An unauthenticated attacker can exploit this by sending a crafted request to the DVRSearch service or Network.cgi to execute arbitrary commands.
Business impact
With a CVSS score of 9.1, this vulnerability is classified as critical. Exploitation could result in a complete loss of confidentiality, integrity, and availability of the affected device, potentially facilitating further attacks on the internal network infrastructure.
Remediation
Immediate Action: Apply the latest firmware update for the GeoVision GV-I/O Box 4E as specified by the vendor.
Proactive Monitoring: Monitor system logs for unusual execution patterns or unauthorized modification of network routing configurations.
Compensating Controls: Utilize a Web Application Firewall (WAF) or network ACLs to block unauthorized access to the device's management endpoints until the patch is applied.
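As an added example in the spirit of the monitoring and compensating-control items above (not code from this advisory or from GeoVision): a strict dotted-quad allowlist for a gateway value, plus a scanner that flags Network.cgi requests in a web-server access log whose query values contain shell metacharacters or fail that allowlist. The `gateway` parameter name, the access-log format and the sample lines are constructed assumptions; the advisory itself names no parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Allowlist: a gateway field should only ever hold a dotted-quad IPv4 address.
IPV4_RE = re.compile(
    r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
)
# Characters that have no business in a network parameter but matter to a shell.
SHELL_META = set(";|&`$(){}<>\n")
# Request line inside a Common/Combined Log Format entry (assumed log format).
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def is_valid_gateway(value: str) -> bool:
    """Allowlist check: True only for a well-formed IPv4 address."""
    return IPV4_RE.fullmatch(value) is not None


def suspicious_params(request_target: str) -> list:
    """Return (name, value) pairs of a Network.cgi request that fail validation.

    parse_qsl percent-decodes, so an encoded ';' is inspected as the CGI sees it.
    Any parameter whose name contains 'gate' is held to the IPv4 allowlist
    (assumption: the advisory does not name the vulnerable parameter).
    """
    parts = urlsplit(request_target)
    if not parts.path.endswith("/Network.cgi"):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        has_meta = any(ch in SHELL_META for ch in value)
        bad_gateway = "gate" in name.lower() and not is_valid_gateway(value)
        if has_meta or bad_gateway:
            hits.append((name, value))
    return hits


def scan_log(lines) -> list:
    """Yield (client_ip, param, value) alerts for suspicious Network.cgi requests."""
    alerts = []
    for line in lines:
        match = REQ_RE.search(line)
        if not match:
            continue
        for name, value in suspicious_params(match.group(1)):
            alerts.append((line.split()[0], name, value))
    return alerts


# Constructed sample log: one benign config change, one injection-shaped value, one unrelated hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /Network.cgi?gateway=192.168.1.1 HTTP/1.1" 200 51',
    '203.0.113.9 - - [01/Jan/2026:10:00:03 +0000] "GET /Network.cgi?gateway=192.168.1.1%24(evil) HTTP/1.1" 200 51',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip}: {name}={value!r}")
```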
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The ease of triggering this command injection makes it an attractive target for attackers. It is imperative that security teams verify their firmware versions and deploy the necessary updates to secure the device against unauthorized remote command execution.